We Care Health Services Inc.
Privacy of Personal Information
Policy and Procedures
Privacy is the ability of an individual to exercise a substantial degree of control
over the collection, use and disclosure of their personal information. We Care Health
Services Inc. respects individuals rights to privacy, and has developed the following
policies and procedures to ensure these rights are honored.
We Care is committed to ensuring that personal information about clients, employees
and business partners is collected, stored, retained and disclosed in a way that
allows people to be informed about the use of the information and have confidence
in the processes we employ to safeguard the confidentiality of the information.
Our policy reflects the 10 principles of privacy set out in the federal Personal
Information Protection and Electronic Documents Act (PIPEDA). While other jurisdictions
have privacy legislation, the principles set out in the federal act are ones that
cover all aspects of privacy, and are the underlying principles of most legislation
These principles are:
- Identifying purpose
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
Principle 1 - Accountability
Accountability for compliance with the principles outlined in this document rests
with the Director of Human Resources for We Care corporate locations. Each Franchise
Director shall designate a member of their team to be responsible for Privacy in
- The individual appointed to be accountable for each location's compliance will be
known as the Privacy Officer. This individual shall have sufficient authority within
the organization to ensure compliance.
- Our commitment is to:
We will use reasonable means to ensure that personal information is given a comparable
level of protection while being processed by a third party.
- protect personal information;
- allow individuals to request information, seek amendments to their personal information;
- train and educate staff; and
- develop information that explains those procedures to clients and staff.
Principle 2 - Identifying Purpose
We will identify the purposes for which we collect personal information at or before
the time the information is collected.
- We will identify the purposes for which we collect personal information to affected
individuals at or before the time of collection.
- We may choose to identify such purposes orally or in writing .
Written notification will be used whenever practical to do so.
- We will identify any new purposes that arise during the course of dealing with personal
information - and obtain prior consent for this new use - even if we have already
identified certain initial purposes. However, we will only do this when
the intended new purpose truly constitutes a "new" use, i.e. when the
purpose now being proposed is sufficiently different from the purpose initially
Principle 3 - Consent
We will obtain the appropriate consent from individuals for the collection, use
and disclosure of their personal information, except where the law provides an exception.
- We may obtain express consent for the collection, use or disclosure of
personal information or we may determine that consent has been implied
by the circumstances.
- Express consent is a specific authorization given by the individual to We Care,
either orally or in writing. Implied consent is one in which We Care has not received
a specific authorization but the circumstances allow us to collect, use or disclose
- Express oral consent can be given in person or over the telephone. If we obtain
an express oral consent, we will make a note of that consent in the file.
- Consent may be withdrawn at any time.
- Exceptions: there are circumstances in which we are not required to obtain an individual's
consent or explain purposes for the collection, use or disclosure of their personal
information. This includes, but is not limited to:
- Collection: we may collect personal information without consent where it is in the
individual's interest and timely consent is unavailable, or to investigate a breach
of an agreement or a contravention of law.
- Use: we may use personal information without consent for similar reasons to those
listed beside "collection" above, and also in an emergency situation in
which an individual's life, health or security is threatened.
- Disclosure: we may disclose personal information without consent for law enforcement
and national security purposes, for debt collection, to a lawyer representing our
organization, and in an emergency situation in which an individual's life, health
or security is threatened.
Principle 4 - Limiting Collection
The personal information we collect will be limited to what is necessary for the
purposes we have identified.
- We will only collect personal information for specific, legitimate purposes. We
will not collect personal information indiscriminately.
- We will only collect information by fair and lawful means and not by misleading
or deceiving individuals about the purposes for which the information is being collected.
- Our policies and procedures relating to the limitation on collection of personal
information will be regularly communicated to our staff members who deal with personal
- Staff may need to obtain personal information about clients from third parties,
for example, those parties identified in the Personal Information Consent.
Principle 5 - Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those
for which it was collected, except with the consent of the individual or as required
by law. We will only retain personal information as long as necessary for the fulfillment
of those purposes.
- We will only use or disclose personal information for legitimate, identified purposes.
- We will retain personal information only as long as necessary for the fulfillment
of the purposes for which it was collected. We will abide by applicable legislation
in the province(s) in which we operate regarding retention periods of personal information.
- Personal information that has been used to make a decision about an individual will
only be retained long enough to allow the individual access to the information after
the decision has been made. This period will not exceed applicable legislated retention
- Personal information that is no longer required to fulfill identified purposes will
be destroyed, erased or made anonymous.
Principle 6 - Accuracy
The personal information we collect will be as accurate and up-to-date as necessary
for the purposes for which it is collected.
- Our organization will, on an on-going basis, ensure the accuracy and completeness
of personal information under our care and control.
- Individuals who provide their personal information to us are expected to do so in
an accurate and complete manner.
- As more particularly described in Principle 9 - Individual Access, we will provide
recourse to individuals who appear to have legitimate corrections to make to their
information on file. Once significant errors or omissions have been identified,
we will correct or amend the information to third parties who have had access to
the information in question (such as insurance carriers).
Principle 7 - Safeguards
We will safeguard the security of personal information under our control in a manner
that is appropriate with the sensitivity of the information.
- We will protect the security of personal information, regardless of the format in
which it is held, against loss or theft, and against unauthorized access, disclosure,
copying, use or modification.
- A higher level of protection will safeguard more sensitive information. However,
we will generally seek to achieve the highest level of security.
- In determining what safeguards are appropriate, we will consider the following factors:
Our methods of protection include:
- the sensitivity of the information;
- the amount of information held;
- the parties to whom information will be disclosed;
- the format in which the information is held; and
- the way in which the information is physically stored.
We will ensure that our policies and procedures on safeguarding personal information
are clearly communicated and accessible to our employees by:
- physical measures, such as locked filing cabinets and restricted areas;
- technological measures, such as the use of passwords and encryption.
We will take precautions in the disposal or destruction of personal information
to prevent unauthorized parties from gaining access to the information. These measures
- training staff on the subject of personal information protection, and
- having regular staff meetings in which we will review our procedures and revise
- ensuring that no one may retrieve personal information after it has been disposed
- shredding documents before recycling them; and
- deleting electronically stored information.
Principle 8 - Openness
We will make readily available to individuals specific information about our policies
and procedures relating to the management of personal information under our control.
- Individuals will be able to inquire about our policies and procedures without unreasonable
- We will tell our receptionist and other staff members who our Privacy Officer is
so that members of the public can easily be informed.
- We may choose to make information about our policies and procedures available in
a variety of ways, including putting the information on our website
- The information will make publicly available will include:
- the name, title and address of our Privacy Officer;
- means of gaining access to personal information held by the organization; and
- the description of the type of information held by the organization and a general
description of its use
Principle 9 - Individual Access
Upon request, an individual will be informed of the existence, use, and disclosure
of his or her personal information which is under our control, and may be given
access to, and challenge the accuracy and completeness of that information.
- Upon written request, an individual will be informed as to whether or not we hold
personal information about him or her. If we do hold such personal information,
upon written request, we will provide access to the information, as well as a general
account of its use.
- The manner in which access will be given may vary, depending on the format in which
the information is held (i.e. hard copy or electronic), the amount of information
held and other factors.
- Upon written request, we will provide a list of third parties to whom we may have
disclosed an individual's personal information. If we are unsure exactly which third
parties may have received the information, we will provide a list of third parties
likely to have received the information.
- The procedure for making a request is as follows:
- All requests must be made in writing, stating as specifically as possible which
personal information you are requesting.
- We will respond to a request within 30 days of receipt of the request, unless we
first advise you that we need a longer period to respond.
- Reasons - if we refuse a request, we will inform the individual in writing of the
refusal, explaining the reasons and any recourse the individual may have, including
the possibility that they may file a complaint with the Privacy Commissioner of
- Deemed refusal - notwithstanding sub-paragraphs (b) and (c), if we do not respond
within the above time limit, we will be deemed to have refused the request.
- There are also exceptions which will prevent us from providing access, including
- personal information about another person might be revealed;
- commercially confidential information might be revealed;
- someone's life or security might be threatened
- the information was collected with consent for the purposes related to an investigation
of a breach of an agreement or a contravention of the law; or
- the information was generated during the course of a formal dispute resolution process.
Principle 10 - Challenging Compliance
An individual may address a challenge concerning compliance with the above policies
and procedures to our Privacy Officer.
- Upon request, individuals who wish to inquire or file a complaint about the manner
in which we handled their personal information - or about our personal information
policies and procedures - will be informed of our applicable complaint procedure.
- To file a complaint, an individual must submit a written request outlining the basic
information and a description of the nature of the complaint.
- The procedure for filing a complaint about our organization is as follows:
We will document any complaints made by clients, as well as our actions in response
to complaints, by noting these details in the individual's file and also in a master
- a written request must be made to the Privacy Officer;
- we will acknowledge the complaint right away;
- we will assign someone to investigate;
- we will give the investigator unfettered access to files and personnel;
- we will clarify facts directly with the complainant, where appropriate; and
- we will advise the complainant in writing of the outcome of the investigation, including
any steps taken to rectify the problem, if applicable.
Chief Privacy Officer
C/O CBI Health Group Corporate Office
3300 Bloor Street West,
West Tower, Suite 900,
Toronto, Ont. M8X 2X2.
Tel: (416) 231 0078
Web site: www.wecare.ca